Gentoo Archives: gentoo-user

From: "Eric S. Johansson" <esj@××××××.org>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Testing how secure a server is...
Date: Wed, 03 Aug 2005 14:33:02
Message-Id: 42F0D3C7.3080908@harvee.org
In Reply to: Re: [gentoo-user] Testing how secure a server is... by Raphael Melo de Oliveira Bastos Sales
1 Raphael Melo de Oliveira Bastos Sales wrote:
2 > He claims that if someone invades my machine, it will have direct
3 > access to all data. That I have to distribute the database, put it in
4 > another machine and have the web application access that database over
5 > the network. I feel this is a bit overkill. Not only it would force
6 > the data travel through the network, slowing it down, but would also
7 > increase the complexity of the security layout, forcing to make the
8 > two machines very secure, unstead of just one of them. Besides, I
9 > might be wrong, but I feel that a Local Socket is faster and safer
10 > than Corba trasmitting data over the internal network.
11 >
12 > If anybody has any comments, I'd be more than happy to hear it.
13
14 first, on the issue of distributing, yes, you will have a nominally more
15 secure application. This assumes of course that the attacker cannot
16 take any part of your application and use it against you by accessing
17 the database themselves.
18
19 the interesting paradox is that by moving your application to another
20 machine and using a network between them for communicating data, the
21 application usually runs faster.
22
23 Think carefully about the RPC mechanism. Don't try to reinvent the
24 wheel with your own socket connection because you will spend a lot of
25 time getting it right and validating it when you could be doing other
26 things that are more fun, productive, and impressing your boss with your
27 lack of "not invented here" attitude.
28
29 corba is complex to get started but it is one of the faster RPC
30 mechanisms available (if memory serves). XML RPC is trivially easy to
31 use but is much slower because of XML. Sun RPC. Well, it's a gray
32 beard. Try not to use it.
33
34 On the security profile, don't sweat it. The best you can do is set out
35 the local machine firewalls to deny access from each other except for
36 the database connection. ssh should only be permitted from your green
37 network. Everything else really depends on what you need exposed and where.
38
39 connection security can be handled with SSL. Many database engines
40 support this (if memory serves).
41
42
43 ---eric
44 --
45 gentoo-user@g.o mailing list